Use offense to inform defense. Find flaws before the bad guys do.

Copyright SANS Institute. Author Retains Full Rights. This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission. Interested in learning more? Check out the list of upcoming events offering "Hacker Tools, Techniques, Exploits, and Incident Handling (SEC504)" at https://pen-testing.sans.org/events/ .

Windows Remote Desktop Heroes and Villains

GSEC Gold Certification
Author: Greg Farnham
Adviser: Don Weber
Accepted: December 10th 2007

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Greg Farnham © SANS Institute 2007, 1 Author retains full rights.

Outline

1. Introduction  4
1.1. Scenario  4
1.2. Remote Desktop Overview  5
1.3. Remote Desktop Tips  7
1.3.1. Connect to the console  7
1.3.2. Query connected users  8
1.4. Network Configuration for Testing  9
2. RDP Vulnerability History  10
2.1. MS01-006 (Microsoft-MS01-006, 2001)  10
2.2. MS01-052 (Microsoft-MS01-052, 2004)  10
2.3. MS02-051 (Microsoft-MS02-051, 2007)  11
2.4. MS05-041 (Microsoft-MS05-041, 2005)  11
3. Villains  11
3.1. TSGrinder  13
3.2. ProbeTS  14
3.3. TSCrack  15
3.4. rdesktop  16
3.5. Cain and Abel  17
3.6. SPIKE fuzzing tool, used in RDP DOS Advisory  17
4. Heroes  18
4.1. Policies and Procedures  18
4.1.1. Password Policy  19
4.1.2. General Policies  19
4.2. Windows Server Configuration  20
4.2.1. Rename the Administrator Account  20
4.2.2. Configure Password Policy  21
4.2.3. Configure RDP Server Settings  23
4.2.4. Change the Remote Desktop port  23
4.2.5. Configure Windows Firewall  25
4.3. 2X SecureRDP  26
4.3.1. Server Configuration  27
4.3.2. SecureRDP Summary  29
4.4. IPSec  29
4.4.1. Server Configuration  31
4.4.2. Client Configuration  35
4.4.3. IP Security Monitor  37
4.4.4. IPSec Summary  39
4.5. OpenVPN  39
4.5.1. Server Configuration  40
4.5.2. Client Configuration  43
4.5.3. Firewall Configuration  44
4.5.4. OpenVPN Summary  45
4.6. TLS based authentication  46
5. Future  47
6. Traffic Captures  49
7. Summary  51
8. References  52

1. Introduction

This paper will focus on a fictitious scenario of a non-profit organization that would like to understand the threats to Remote Desktop and improve security. This paper will review past vulnerabilities in the Windows Remote Desktop service, review threats, review mitigation techniques and summarize the results.

1.1. Scenario

The organization, NPO, has limited funds and cannot afford to maintain an IT infrastructure. NPO rents 6 internet based Windows 2003-SP2 servers. The servers are located in the data center of the server provider. NPO does not have physical access to the servers. They run a Voice over IP (VoIP) application that uses one UDP port. The servers are not part of a domain and are managed by a Remote Desktop connection over the Internet. NPO typically has four part time Administrators.
NPO would like to know the threats from allowing Remote Desktop access over the internet and identify possible mitigation techniques to those threats.

The NPO System Administrators will access the servers using Windows Remote Desktop. They will run Windows XP Home or Windows XP Pro. They typically access the servers from residential internet connections. The residential connections can have static or dynamic IP addresses and often include a home router with Network Address Translation (NAT). Any security improvements will have to meet these basic requirements:

• Support Windows XP Home and Professional
• Support dynamic IP addresses
• Support clients using NAT
• Increase Security
• Low Cost
• Low Client Footprint

1.2. Remote Desktop Overview

Remote Desktop is a feature built into Windows 2003 Server which allows a user to remotely connect to the server desktop. With the remote desktop the remote user can interact with the server just like they are logged in directly at the console. For this paper, we are focusing on "Remote Desktop for Administration". The Administration mode allows 2 concurrent connections and is intended primarily for Administration. Remote Desktop can also be used in "Application Mode" which allows multiple users to connect and run applications on the server. Remote Desktop has also been known as "Terminal Services". This paper will use Remote Desktop and Terminal Services interchangeably. Remote Desktop Protocol (RDP) is the protocol used for remote desktop connections. The default port used is TCP 3389 (Wikipedia-RDP, 2007).

Remote Desktop Version History
The version history of Remote Desktop Protocol is shown in Table 1.

Table 1: Remote Desktop version by operating system

  Operating System                                  Remote Desktop Version
  Windows NT 4.0 Server, Terminal Server Edition    4.0
  Windows 2000 Server                               5.0
  Windows XP Pro                                    5.1
  Windows Server 2003                               5.2
  Windows Vista                                     6.0
  Windows Server 2008                               6.1

For Windows Server 2003, remote administrators can connect to the console in addition to the two virtual sessions. Remote Desktop Protocol currently will only run over TCP/IP, but it has been designed to be independent of the transport and could be run over other transports in the future (Microsoft-186607, 2007). Remote Desktop offers several features, among them are RC4 stream cipher with 56 or 128 bit encryption, Roaming disconnect, Remote control and Bandwidth reduction (Microsoft-aa383, 2007). With Remote Desktop, client resources such as file systems, printers, and audio can be redirected to the server (Microsoft-techts, 2005). This allows, for example, a user to print to their local printer. There are additional clients available for remote desktop including Windows CE, "Remote Desktop Web Connection" and the Linux based rdesktop program.

1.3. Remote Desktop Tips

These tips will be useful when using the Remote Desktop functionality.

1.3.1. Connect to the console

The console login allows a remote user to interact directly with the console (Microsoft-278845, 2007). It may be useful for applications that display messages directly to the console. The physical console will be locked when a remote user is connected. The console connection will allow a connection even if the two virtual connections are in use. The console connection will also allow you to connect if someone else is connected to the console remotely. In this situation, it will disconnect the other user. Normally, a user starts remote desktop from the All Programs menu or by running mstsc.exe without any options. The user will then get a "Remote Desktop Connection" window where they can enter the IP address and other options. To connect to the console, a user adds "-console" to the mstsc.exe command line. With this option, the user will get the same "Remote Desktop Connection" window, but they will be connecting to the console. The console is also known as Session 0.

• Start>Run and type in "mstsc.exe -console" and hit Enter.
• Log in with the Remote Desktop login window that appears.

1.3.2. Query connected users

The quser command will display all connected users. This is useful to see which users are logged in with RDP. It can be run by anyone with a Command Prompt on the server. In addition, it can be used to query the RDP connections on a remote computer using the /SERVER option.

• Start>Run>CMD
• Type quser in the Command Prompt window and hit Enter.

In the example shown below, there is one user connected to the console (ID=0) with session rdp-tcp#4 and username npoking. There is another session (ID=3) with the same username that is currently disconnected. The ">" before the username for the first user indicates the session that ran the quser command.

  C:\>quser
   USERNAME       SESSIONNAME   ID  STATE   IDLE TIME
  >npoking        rdp-tcp#4      0  Active  none
   npoking                       3  Disc    .

1.4. Network Configuration for Testing
Testing was performed in various configurations including using the same network segment and using VMWare. The network diagram shown in Figure 1 shows an example configuration for testing. It includes a Router with NAT and the Server on a separate segment from the client.

[Figure 1: example network configuration for testing, with a router performing NAT and the server on a separate segment from the client]

2. RDP Vulnerability History

Like most products, Microsoft's Remote Desktop feature using the RDP protocol has had vulnerabilities in the past. Many of these vulnerabilities are Denial of Service (DOS) as shown below. These are not as severe as a remote exploit, but DOS vulnerabilities are sometimes a precursor to a remote exploit. All of the vulnerabilities below have been patched. Likely, there will be additional vulnerabilities in the future.

2.1. MS01-006 (Microsoft-MS01-006, 2001)

This vulnerability was reported by Yoichi Ubukata and Yoshihiro Kawabata. A patch has been released (Q286132). A remote user can send malformed RDP packets to the server and cause it to stop responding.

2.2. MS01-052 (Microsoft-MS01-052, 2004)

This bulletin originated from a DOS vulnerability reported by Luciano Martins in October, 2001 (Martins, 2001). A remote user can send malformed RDP packets to the server and cause it to stop responding. A patch has been released (Q307454).

2.3. MS02-051 (Microsoft-MS02-051, 2007)

This bulletin originated from vulnerabilities reported to the bugtraq mailing list by Ben Cohen and Pete Chown in August 2002 (Cohen, 2002).
A patch (Q324380) has been released. The denial of service vulnerability allows an attacker to send a specially crafted packet and cause the server to reboot. The packet can be sent prior to authentication. The keystroke vulnerability is interesting because it was introduced by a change to increase performance. It was introduced in RDP 5.0. In the original post, the author recommends using the RDP 4.0 client since it was not vulnerable. The checksum vulnerability could allow an attacker with access to the RDP traffic to gather information.

2.4. MS05-041 (Microsoft-MS05-041, 2005)

This bulletin originated from a vulnerability reported by Tom Ferris. It was posted in August of 2005. Similar to some of the other RDP DOS vulnerabilities, an attacker can send malformed RDP packets and cause the server to stop responding.

3. Villains

There are a number of different threats (Villains) that arise from having a Remote Desktop connection available on the internet. Many of the threats can be categorized as Information Disclosure, Dictionary, Brute Force, Denial of Service and Man in the Middle (MITM) attacks. Information Disclosure is an attack that results in the disclosure of information that is not intended to be public. The information could be confidential data such as Human Resource records or something less obvious such as knowing when an Administrator is connected to a server. A Dictionary attack can be used to guess a password by trying all the passwords in a list or dictionary. A Brute Force attack can also be used to guess a password. An attacker will repeatedly try all possible passwords until he finds the valid one.

A Denial of Service attack is used to disrupt normal operations. While the attacker will not gain information or access to a system, he is able to deny its use to legitimate users. This can result in significant loss of productivity. A Denial of Service (DOS) can come in several different forms. We saw in the Vulnerability History section that there have been several specific DOS vulnerabilities in RDP. Another type is a Distributed Denial of Service (DDOS). In a DDOS attack, the attacker has a large number of hosts, hundreds or thousands, that he uses to send normal requests to the victim. The victim is overwhelmed and cannot service legitimate users.

The Man in the Middle (MITM) attack is one of the more complex attacks. In this attack, an attacker will impersonate a server. The user will unknowingly create an authenticated session to the attacker allowing the attacker to capture the credentials. The attacker will then create an authenticated session to the real server. The attacker will sit in the middle and pass traffic in both directions between the client and the server. The attacker is able to view all the traffic (unencrypted) between the client and the real server. The user is unaware that he is being monitored. In April of 2003, Erik Forsberg released an advisory describing a man in the middle vulnerability in RDP (Forsberg, 2003). In it he described how there is no verification of the identity of the server. In May of 2005, Massimiliano Montoro released a paper that explains how RDP is still vulnerable to MITM (Montoro, 2005). In it, he explains that the use of a private key hard coded in one of the DLLs allows an attacker to calculate a valid signature. This allows the attacker to successfully impersonate the server without the client knowing.

There are a number of specific tools designed for attacking Remote Desktop. Like many tools, they can be used for good or for bad. The Villain moniker only applies when used for malicious purposes.

3.1. TSGrinder

TSGrinder is a tool that can be used to perform a dictionary attack on a Remote Desktop server. It leverages tools available from Microsoft for load testing Terminal Services. TSGrinder will sequentially try passwords from a dictionary list file. It will also allow the words in the list file to be modified with "1337" substitution. For example, a 3 would be substituted for an E in the list of passwords. It supports multiple threads and can try up to 5 passwords per connection. The Remote Desktop server will drop the connection and log the event on the 6th try. TSGrinder is a Windows executable. Executing the command without any options will present a usage page.

  C:\tsgrinder>tsgrinder
  tsgrinder version 2.03

  Usage: tsgrinder [options] server

  Options:
   -w dictionary file (default 'dict')
   -l 'leet' translation file
   -d domain name
   -u username (default 'administrator'
   -b banner flag
   -n number of simultaneous threads
   -D debug level (default 9, lower number is more output)

  Example: tsgrinder -w words -l leet -d workgroup -u administrator -b -n 2 10.1.1.1

3.2. ProbeTS

ProbeTS is a tool to find Terminal Services on a network. ProbeTS requires an authenticated connection to the target. This limits its use to be within the same domain. Instead of scanning ports, it uses RPC to determine if Terminal Services is running on the target.
This would typically only be useful for scanning an internal network by a Domain Administrator. Because it requires an authenticated connection, an attacker on the internet could not use this tool to determine if an NPO server is running Terminal Services. This tool is not a threat in the NPO scenario. Executing the command without any options will present a usage page.

  C:\>probets
  ProbeTS v1.1 - [email protected]
  Terminal Server Probe

  Usage: probets NBIOSName/IP
  i.e. probets 192.168.1.1
  -or-
  Usage: probets CClass [BegIP] [EndIP]
  i.e. probets 192.168.1 1 200

  Get hammered at HammerofGod.com

3.3. TSCrack

TSCrack is a tool for performing a dictionary and brute force attack against a Remote Desktop server. It uses screen scraping of the graphical logon to test for success. TSCrack supports two simultaneous connections and can optionally prevent the system from logging failed password attempts by limiting the number of tries per connection. Executing the command without any options will present a usage page.

  C:\>tscrack
  terminal services cracker (tscrack.exe) v2.0.55 2002-13-10 04:13 AM
  (c) 2002 by gridrun [TNC] - All rights reserved
  http://softlabs.spacebitch.com

  Usage help:
  tscrack [switch] [switch [arg]] ... <Host/IP[:port]>

  Parameters:
   <Host/IP[:port]> : DNS name or IP address of target server, optional port
  Switches:
   -h            : Print usage help and exit
   -V            : Print version info and exit
   -s            : Print chipher strenght info and exit
   -b            : Enable failed password beep
   -t            : Use two simultaneous connections [EXPERIMENTAL]
   -N            : Prevent System Log entries on targeted server
   -U            : Uninstall tscrack and remove components
   -f <number>   : Wordlist entry to start cracking with
   -F <delay>    : Sampling Frequency (Delay between samples in ms)
   -l <user>     : Account name to use, defaults to Administrator
   -w <wordlist> : Wordlist to use; tscrack tries blank passes if omitted
   -p <password> : Use <password> to logon instead of wordlist/blank pass
   -D <domain>   : Specify domain to attempt logon to

3.4. rdesktop

The rdesktop application is an open source client that runs on Unix/Linux based systems. It can be used for example by a Linux user to connect to a Windows 2003 Remote Desktop. There is a patch available that allows it to be used to perform a dictionary attack (Gates, 2007). The usage information with some common options is shown below. With the brute force patch, the -p option will accept a file name with a dictionary list.

  Usage: rdesktop [options] server[:port]

  Description
   -u <username>  Username for authentication on the server.
   -d <domain>    Domain for authentication.
   -n <hostname>  Client hostname. Normally rdesktop automatically obtains the
                  hostname of the client.
   -p <password>  The password to authenticate with. Note that this may have no
                  effect if "Always prompt for password" is enabled on the server.
                  WARNING: if you specify a password on the command line it may be
                  visible to other users when they use tools like ps. Use -p - to
                  make rdesktop request a password at startup (from standard input).
   -f             Enable fullscreen mode. This overrides the window manager and
                  causes the rdesktop window to fully cover the current screen.
                  Fullscreen mode can be toggled at any time using Ctrl-Alt-Enter.
   -0             Attach to the console of the server (requires Windows Server 2003
                  or newer).
   -4             Use RDP version 4.
   -5             Use RDP version 5 (default).

3.5. Cain and Abel

Cain and Abel is a multi featured tool for Windows. It includes many password related features such as brute force, dictionary and cryptanalysis. It also has features for sniffing, recording VoIP conversations and wireless. One of the features related to Remote Desktop is the ability to do a MITM attack against RDP using Arp Poison Routing (APR).

3.6. SPIKE fuzzing tool, used in RDP DOS Advisory

In August of 2005 Tom Ferris released an advisory on the Remote Desktop DOS (Ferris, 2005) identified in Microsoft Bulletin MS05-041. The advisory includes the SPIKE script and usage information for causing a denial of service on a Remote Desktop server. SPIKE is a Linux based Fuzzer Creation Kit. Security Researchers can use SPIKE to test how applications respond to malformed packets. Fuzzing is an automated technique where valid input is repeatedly modified creating fuzzed input. Each variation of the input data is sent to the application to see if it causes a problem such as a crash. For the RDP DOS, the generic tcp fuzzer (generic_send_tcp) program included with SPIKE is used. A SPIKE script remoteass.spk defines the input for the generic tcp fuzzer. Below is abridged output from running the RDP DOS with SPIKE.

  $ ./generic_send_tcp 192.168.1.101 3389 remoteass.spk 1 0
  Total Number of Strings is 681
  Fuzzing
  Fuzzing Variable 1:0
  Fuzzing Variable 1:1
  Variablesize= 5004
  Fuzzing Variable 1:2
  Variablesize= 5005
  Fuzzing Variable 1:3
  Variablesize= 21

4. Heroes

We have seen that there are many threats to Remote Desktop. Now we will look at techniques to improve security, the Heroes. In this scenario, some techniques such as an external firewall or external VPN device had to be ruled out due to cost. The primary area researched was improving security on the Server. A focus was put on limiting access to the Remote Desktop on the server. The goal is to control access to the Remote Desktop login screen. Specifically, only allowing access to authorized Administrators and denying access to the rest of the internet.

4.1. Policies and Procedures

Policies and Procedures are a valuable component of security solutions. Policies are used to define the required configuration of systems and behavior of personnel. Procedures are used to define how a repeatable task should be performed. Procedures are embedded in the latter sections describing solutions for improving security.

4.1.1. Password Policy

For this scenario, a password policy is needed. With the Remote Desktop port available to the general internet, the servers can easily be subjected to a brute force password attack. A strong password policy will help to mitigate the brute force threat. Users are encouraged to think in terms of a pass phrase. Using a phrase typically has a large number of characters and is easier to remember than random sequences of letters. The following was decided for the password policy.
• Passwords must be 14 characters or more in length.
• Passwords must be changed every 6 months.
• Passwords must meet Windows default complexity requirements.
• Passwords must contain at least 3 types from: lower case, upper case, number, special.
• Passwords must be securely stored.
• Passwords must be securely communicated.

4.1.2. General Policies

A few general policies have been defined to help keep operations secure and ensure that client machines meet a minimum standard.

• Servers must have Auto Update turned on with automatic installation.
• Servers must automatically run an up to date Anti-Virus program.
• All Administrators must run Windows XP SP2 or higher.

4.2. Windows Server Configuration

There are a few things on the Windows Server configuration that directly relate to securing Remote Desktop Access. This is not intended to be a complete Windows Server hardening guide. This section will cover Rename the Administrator Account, Configure Password Policy, Configure RDP Server Settings, Change the Remote Desktop Port and Configure Windows Firewall.

4.2.1. Rename the Administrator Account

Renaming the Administrator Account will help to prevent a brute force attack on the Administrator account. Most brute force attacks will use the account name "Administrator". This is the default name and this account is not subject to account lockout. This configuration change is done by editing the Local Security Policy (Microsoft-2230, 2005). For the example shown, we are changing the Administrator account name to npoking.

• Start>Settings>Administrative Tools>Local Security Policy
• Local Policies>Security Options>Accounts: Rename administrator account
• Change the value to npoking

4.2.2. Configure Password Policy

Windows Server has a very robust password policy enforcement capability. This will be used to enforce our password policy from above. The password policy is also configured by making changes to the Local Security Policy.

• Start>Settings>Administrative Tools>Local Security Policy
• Select Account Policies>Password Policy
• Change settings per password policy.

• Select Account Policies>Account Lockout Policy
• Change the Account lockout threshold to 5
• Accept the defaults of 30 minutes for the other 2 settings.

Local Security Settings can be exported and used to automate the configuration of another server.

• Select the Security Settings in the left pane
• Select Action>Export Policy...
• Type in localpol as the file name and click OK.

4.2.3. Configure RDP Server Settings

The RDP Server settings can be used to increase security. Changes will only allow high encryption and limit some of the functionality. Limiting functionality will lower the attack surface available to an attacker.
• Start>Settings>Administrative Tools>Terminal Services Configuration
• Select Connections, Double Click RDP-Tcp
• Make the following changes
• General Tab: Encryption level: High
• Environment: Toggle on Do not allow an initial program...
• Remote Control: Toggle on Do not allow remote control
• Client Settings: Disable Drive mapping, Windows printer mapping, LPT port mapping, COM port mapping and Audio mapping.

4.2.4. Change the Remote Desktop port

Changing the Remote Desktop port lowers the visibility of the server. It will require an attacker to do more than a port scan of common ports to find the RDP listening port. It could also help avoid a possible future worm that only propagates on the default port. This change is accomplished by changing a registry key (Microsoft-306759, 2007). Note: A reboot is required for this change to take effect.

To change the registry key:

• Start>Run>regedit
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

For the example shown, we are changing it to 50101 (decimal).

The RDP settings are stored in the registry. These settings can be exported as a registry file and used to automate the configuration on other servers.

• Select the RDP-Tcp folder in the left pane
• Select File>Export
• Enter rdp for the filename and click OK.

4.2.5. Configure Windows Firewall

The host firewall will be configured to allow only 2 exceptions. One for Remote Desktop access (TCP 50101) and one for the VoIP applications (UDP 49720).
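The rdp.reg export created in 4.2.4 can be checked mechanically against the settings from 4.2.3 and 4.2.4 before it is reused on another server. The script below is an added example, not code from the paper; it assumes the export has been read in as text, and SAMPLE_REG is a constructed sample. PortNumber and MinEncryptionLevel are the real value names under RDP-Tcp; the fDisable* names are the registry counterparts of the Client Settings check boxes in Terminal Services Configuration.

```python
"""Audit a regedit export of the RDP-Tcp key against the hardening steps of 4.2.3 and 4.2.4.

Added example; it is not code from the paper. It parses the rdp.reg file that
File>Export produces and reports values that differ from the hardened ones.
SAMPLE_REG is constructed for this example.
"""
import re

RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")
DEFAULT_RDP_PORT = 3389  # 0x0D3D, the value a fresh install carries

# Hardened value for each setting and the Terminal Services Configuration step it comes from.
EXPECTED = {
    "MinEncryptionLevel": (3, "Encryption level: High (1=Low, 2=Client Compatible, 3=High)"),
    "fDisableCdm": (1, "Drive mapping disabled"),
    "fDisableCpm": (1, "Windows printer mapping disabled"),
    "fDisableLPT": (1, "LPT port mapping disabled"),
    "fDisableCcm": (1, "COM port mapping disabled"),
    "fDisableCam": (1, "Audio mapping disabled"),
}

# Constructed export: the port was moved to 50101 (0xC3B5) but encryption was left
# at Low and printer mapping is still enabled, so the audit has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:0000c3b5
"MinEncryptionLevel"=dword:00000001
"fDisableCdm"=dword:00000001
"fDisableCpm"=dword:00000000
"fDisableLPT"=dword:00000001
"fDisableCcm"=dword:00000001
"fDisableCam"=dword:00000001
"fInheritAutoLogon"=dword:00000001
"""


def parse_reg(text):
    """Return {key path: {value name: value}}; dword values become ints, others stay strings."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        value = re.match(r'^"([^"]+)"=(.+)$', line)
        if value and current is not None:
            name, data = value.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            else:
                keys[current][name] = data.strip('"')
    return keys


def audit_rdp_tcp(text):
    """Return a list of findings; an empty list means the export matches the paper's settings."""
    keys = {path.lower(): values for path, values in parse_reg(text).items()}
    values = keys.get(RDP_TCP_KEY.lower())  # registry paths are case-insensitive
    if values is None:
        return ["RDP-Tcp key not present in export"]
    findings = []
    if values.get("PortNumber", DEFAULT_RDP_PORT) == DEFAULT_RDP_PORT:
        findings.append("PortNumber is the default 3389; 4.2.4 moves it (the paper uses 50101)")
    for name, (expected, reason) in EXPECTED.items():
        actual = values.get(name)  # None when the value is absent, which also fails the check
        if actual != expected:
            findings.append("%s=%r, expected %d (%s)" % (name, actual, expected, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_tcp(SAMPLE_REG):
        print("FINDING:", finding)
```

A regedit export is written as UTF-16 with a byte-order mark, so read the real file with that encoding before passing its text to audit_rdp_tcp.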
• Start>Settings>Control Panel>Windows Firewall
• Note: You may need to start the Windows Firewall/ICS service.
• Toggle the FW on.
• Use Add Port to create custom services for TCP 50101 and UDP 49720.
• Uncheck all other Exceptions.

Note: If accessing remotely, be careful not to lock yourself out of the server. Configure the exceptions for the RDP port before turning the firewall on.

4.3. 2X SecureRDP

SecureRDP looked like a promising solution. SecureRDP is provided by 2X. 2X has a number of thin client computing products. SecureRDP is freeware available for download at no charge. It is an application that runs on the server and is specifically designed to control access to the RDP Service. SecureRDP allows configuring access to RDP based on IP Address, MAC Address, Computer Name, RDP Client version and time of day (SecureRDP, 2007). It also allows limiting the number of RDP sessions based on IP Address or User Name.

4.3.1. Server Configuration

Installation on the server was easy with a standard setup program. Nothing is required on the client. The configuration was also easy. The IP Address Logon Filter allows for simple adding and removing of IP addresses or ranges.

The application has customizable pop up windows for when someone is denied login.
The standard message does give away the fact that SecureRDP is being used. It is desirable to avoid this kind of information leak. Testing showed that if the Message Title and Message Content are deleted, no pop up window is displayed. There is one major shortcoming of the IP Address Logon Filter. It filters based on the local IP address of the client. In our test configuration shown in Figure 1, the local IP address for the client 192.168.1.2 had to be entered, not the NAT'd IP address 172.16.1.1.

The MAC Address Logon filter will only work if the client and server are on the same network segment. A client MAC Address will only be visible to the server if it is on the same network segment. For a connection that goes through a router, the MAC Address of the client will not be visible. The NPO Servers are in a data center on the internet and all clients will be connecting through a routed connection. The MAC Address Logon filter is not applicable for the NPO scenario.

The Client version Logon filter might be useful in denying access to some attackers, but it would also put a burden on our administrators to have a specific client version.

The Computer name Logon filter might be useful. One issue with this option is that Administrators may sometimes use different computers, for example at a friend’s house. It would be possible to change the name of the client computer to match one on the allowed list. Changing a computer name is a burden and does require a reboot.

4.3.2. SecureRDP Summary

After testing, it was determined that this solution is not applicable to the NPO scenario.
This is mainly due to the fact that it does not handle NAT’d IP addresses. Also, if IP address filtering was the approach, the Windows firewall would be sufficient by using a custom scope. The other filtering mechanisms do not meet the requirements.

4.4. IPSec

IPSec is an internet standard protocol suite that provides encryption and authentication. It is built into Windows XP and Windows Server 2003. Initially, I did not think this was viable in our scenario due to the Windows XP Home requirement and NAT requirement. After doing the research, I learned that these requirements could be met. Regarding Windows XP Home, there is a misconception that IPSec is not supported. The IPSec GUI is not available on Windows XP Home. However, the IPSec functionality is available. It can be configured using the ipseccmd command line tool. The ipseccmd command is available as part of the Windows XP Service Pack 2 Support Tools (Microsoft-49ae, 2004). For the NAT requirement, this had been a problem for IPSec. If a layer 4 header is protected by IPSec, then if the traffic gets NAT'd, the header cannot be updated to reflect the new IP address. This issue was resolved with the NAT-T standard, and Microsoft released an update to support it (Microsoft-818043, 2006). This update is included in Windows XP Service Pack 2.

For Windows IPSec, peer authentication can be done using Kerberos, Pre-shared Key or Certificates. In the NPO scenario, peers are not part of a domain, so Kerberos can’t be used. Pre-shared key was selected over Certificates to avoid the overhead of installing and maintaining a Windows Certificate Server. A drawback of using pre-shared keys is that they are stored in clear text in the registry (Microsoft-ipsecfaq, 2006).
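The NAT problem described above, as an added example that is not part of the original paper: a toy model of ESP transport mode showing why the protected TCP checksum fails once a NAT rewrites the source address, and how NAT-T (ESP inside UDP 4500, plus the original address the peer announces during IKE, called NAT-OA in RFC 3948) lets the receiver recover. The addresses are those of the paper's Figure 1; the session key, packet layout, ESP framing and NAT-OA handling are simplified assumptions made for the example (integrity only, no encryption shown).

```python
"""Why IPSec transport mode failed behind NAT, and what NAT-T changes (toy model).

Added example; not code from the paper or from Windows. ESP in transport mode
protects the TCP header, and the TCP checksum covers the IP source address, so a
NAT that rewrites that address cannot update the checksum and the receiver drops
the segment. With NAT-T the NAT rewrites only the outer IP/UDP header and the
receiver verifies the inner checksum with the original address learned in IKE.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SESSION_KEY = b"constructed-key-derived-by-IKE-from-psk-npotest"  # constructed for the example
ICV_LEN = hashlib.sha1().digest_size  # ESP[3DES,SHA] authenticates with HMAC-SHA1


@dataclass
class Packet:
    src: str     # outer IP source address
    dst: str     # outer IP destination address
    proto: str   # "ESP" for plain IPSec, "UDP" for ESP encapsulated in UDP 4500 (NAT-T)
    esp: bytes   # protected TCP segment followed by its ICV


def _internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, as used by TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (addresses, protocol 6, length) and the segment."""
    segment = struct.pack("!HHH", sport, dport, 0) + payload  # checksum field zeroed
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return _internet_checksum(pseudo + segment)


def esp_send(src: str, dst: str, sport: int, dport: int, payload: bytes, nat_t: bool) -> Packet:
    """Build a TCP segment and protect it with ESP in transport mode, with or without NAT-T."""
    cksum = tcp_checksum(src, dst, sport, dport, payload)
    segment = struct.pack("!HHH", sport, dport, cksum) + payload
    icv = hmac.new(SESSION_KEY, segment, hashlib.sha1).digest()
    return Packet(src, dst, "UDP" if nat_t else "ESP", segment + icv)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """A NAT device: it rewrites the outer source address but cannot see or alter the ESP payload."""
    return Packet(public_ip, pkt.dst, pkt.proto, pkt.esp)


def esp_receive(pkt: Packet, nat_oa: Optional[str] = None) -> Tuple[bool, str]:
    """Check ESP integrity, then hand the segment to TCP, which verifies the checksum."""
    segment, icv = pkt.esp[:-ICV_LEN], pkt.esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(SESSION_KEY, segment, hashlib.sha1).digest()):
        return False, "ESP integrity check failed"
    sport, dport, cksum = struct.unpack("!HHH", segment[:6])
    payload = segment[6:]
    # TCP normally uses the addresses from the IP header it received; only a NAT-T
    # peer that learned the original address (NAT-OA) during IKE can substitute it.
    src = nat_oa if (pkt.proto == "UDP" and nat_oa) else pkt.src
    if tcp_checksum(src, pkt.dst, sport, dport, payload) != cksum:
        return False, "TCP checksum mismatch: NAT changed the address but could not fix the protected header"
    return True, "segment delivered to TCP port %d" % dport


if __name__ == "__main__":
    # Figure 1: client 192.168.1.2 behind a NAT that presents 172.16.1.1, server 172.16.1.10
    for nat_t in (False, True):
        pkt = nat_rewrite(esp_send("192.168.1.2", "172.16.1.10", 1234, 50101, b"RDP", nat_t), "172.16.1.1")
        print("NAT-T" if nat_t else "plain ESP", esp_receive(pkt, nat_oa="192.168.1.2" if nat_t else None))
```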
Storing the key in clear text is an acceptable risk for the NPO scenario. IPSec will be configured with pre-shared keys to authenticate the server and client with each other. To implement IPSec, configuration is required on the server and the client.

4.4.1. Server Configuration

These instructions were created using “IPSec to secure Terminal Services” (Microsoft-816521, 2007) as a reference.

• Start>Settings>Administrative Tools>Local Security Policy
• Right click on IP Security Policies on Local Computer and select “Manage IP filter…”
• Click the Add button
• Enter the name rdp1
• Uncheck the “Use Add Wizard” button
• Click the Add button
• Select “Any IP Address” for the Source address.
• Select “My IP Address” for the Destination address.
• Verify that the Mirror box is checked.
• Select the Protocol tab
• Set the Protocol type to TCP.
• Select From any port
• Select To this port and enter 50101.
• Click OK, Click OK
• Click on the Manage Filter Actions Tab
• Uncheck the Use Add Wizard check box
• Click on the Add… button
• Click the General Tab
• Enter rdp-filteraction for the name
• Click the Security Methods Tab
• Select Negotiate Security
• Click Add…
• Select Integrity and encryption
• Click OK
• Verify that Security Method is ESP[3DES,SHA]
• Click OK
• Click Close
• Now create the Policy
• In the right pane of the Local Security Settings window, right click and select “Create IPSec Security Policy”. Click Next
• Enter rdp-pol for the name. Click Next
• Uncheck the “Activate the default response rule”, click Next
• Click Next
• Click Finish
• Click the General Tab
• Click the Settings or Advanced button
• Click the Methods button
• Verify that IKE, 3DES, SHA1, Medium(2) is top in the list.
• Click OK
• Click OK
• Click the Rules Tab
• Uncheck the Use Add Wizard check box
• Click Add…
• Select the rdp1 filter list.
• Click on the Filter Action tab.
• Select the rdp-filteraction radio button.
• Click on the Authentication Methods tab.
• Click Add
• Select Use this string (preshared key):
• Enter the string npotest [a stronger key would be used in actual deployment]
• Click OK
• Select Kerberos, click Remove, click Yes
• Click OK, Click OK
• Right click rdp-pol and select Assign

The server can also be configured using the netsh command line utility. In Windows Server 2003, the XP functionality from ipseccmd was moved into netsh. The following commands will configure IPSec on the Server.

:IPSec Policy Definition
netsh ipsec static add policy name="rdp-pol" description="Remote Desktop policy" activatedefaultrule=no assign=no

:IPSec Filter List Definitions
netsh ipsec static add filterlist name="rdp-filter1" description="All Connections to RDP"

:IPSec Filter Definitions
netsh ipsec static add filter filterlist="rdp-filter1" srcaddr=any dstaddr=me description="RDP connections" protocol=TCP mirrored=yes srcport=0 dstport=50101

:IPSec Filter Action Definitions
netsh ipsec static add filteraction name="rdp-filteraction1" description="encrypt" qmpfs=no inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]"

:IPSec Rule Definitions (the filter list name must match the one created above)
netsh ipsec static add rule name="rdp-rule" policy="rdp-pol" filterlist="rdp-filter1" psk="npotest" filteraction="rdp-filteraction1"

:Assign the policy. The policy is created with assign=no above; this step is the equivalent of the final Assign step in the GUI procedure.
netsh ipsec static set policy name="rdp-pol" assign=y

For definitions of each command, see (Microsoft-netsh, 2005).

4.4.2. Client Configuration

The configuration on the client is similar to the server. The main difference is when configuring the IP Filter list: use “My IP Address” for the Source and the specific server IP address for the destination.

The IPSec client configuration needs to be repeated for each server a user will connect to.

The client can also be configured using the ipseccmd command line utility. For Windows XP Home, the only option for configuring IPSec is to use ipseccmd. The ipseccmd utility requires installation of the Windows XP Support Tools (Microsoft-49ae, 2004). During installation, the “complete” option must be selected instead of the default “typical”. Otherwise, ipseccmd will not be installed.

Once ipseccmd is installed, the client can be configured with a one line command which could be stored in a batch file.
The following command should be entered on one line:

ipseccmd.exe -f 0+172.16.1.10/255.255.255.255:50101:TCP -n ESP[3DES,SHA] -a PRESHARE:"npotest" -1s 3DES-SHA-2 -w reg -p rdppol -r rdprule -x

Below is a summary of each parameter:

• -f 0+172.16.1.10/255.255.255.255:50101:TCP This is the filter definition. The 0 indicates a source of “My IP Address”, which is the IP address of the client. The 172.16.1.10/255.255.255.255 is the server address with a 32 bit mask. The 50101:TCP indicates the destination port.
• -n ESP[3DES,SHA] This is the security method to be used for securing the traffic identified by the filter.
• -a PRESHARE:"npotest" This defines the authentication method as pre-shared key and the key as npotest.
• -1s 3DES-SHA-2 This defines the security method for key exchange.
• -w reg This parameter specifies that the policies and rules will be written to the local registry.
• -p rdppol This parameter specifies the name of the IPSec Policy.
• -r rdprule This parameter specifies the name to use in the IP Filter List and the Filter Action.
• -x This parameter specifies that the new policy “rdppol” is assigned, in other words active.

Note: To disable a policy, run the same command with a -y instead of a -x.

4.4.3. IP Security Monitor

IP Security Monitor is a tool built in to Windows Server 2003 and Windows XP Pro. It can be used to monitor the status of any IPSec connections. IP Security Monitor is provided as an MMC Snap-In. It can be accessed by running MMC and adding the Snap-In.

• Start>Run>mmc
• File>Add/Remove Snap-In
• Click Add…
• Select IP Security Monitor
• Click Add
• Click Close
• Click OK
• Expand the items in the left pane.
• Select Statistics under Quick Mode

On Windows XP Home with the support tools installed, the following command will display information similar to IP Security Monitor.

ipseccmd localhost show gpo filters policies auth stats sas all

4.4.4. IPSec Summary

This section has described the basics of IPSec and how it will be configured to work in our scenario. Once configured, each user can be given a batch file with the one line required to configure IPSec to connect to a server. Only clients configured to use IPSec with the pre-shared key will be able to connect to Remote Desktop and get to the login screen. Authorized users can carry around a USB flash drive that has the Windows XP Support Tools and batch files to configure IPSec for the servers they need to access. They would then be able to install ipseccmd and execute the batch script. Alternatively, if they have the pre-shared key, they could configure a Windows XP Pro client manually. This solution meets all of our requirements.

4.5. OpenVPN

OpenVPN is an Open Source project by James Yonan and is licensed under the GPL (Wikipedia-OpenVPN, 2006). OpenVPN uses the SSL/TLS protocol to provide VPN services on multiple platforms including Linux, Windows, Mac and others. OpenVPN is very flexible. There are over 100 different configuration settings for meeting various needs. OpenVPN supports features such as client/server VPNs, pre-shared keys, certificates, bridged VPNs, routed VPNs, DHCP server and NAT traversal (Yonan, 2003).
When installed on Windows, OpenVPN creates a TAP-Win32 virtual adapter. This adapter will show up in the Network Connections form and the output of the ipconfig command. The virtual adapter can be used in tap mode to create bridged VPNs or in tun mode to create a routed VPN.

For the NPO scenario, a routed VPN will be used. The Remote Desktop server will be configured with OpenVPN in server mode and the Remote Desktop client will be configured with OpenVPN in client mode. Peer authentication can be done with Pre-shared keys or Certificates. The OpenVPN installation includes an easy to use certificate server (easy-rsa). Since the certificate server is already available, certificates will be used for peer authentication in the NPO scenario. The server will listen on the standard port UDP 1194. Once the VPN tunnel is established, each host will have an IP address on the VPN network (10.8.0.0/24). For the Remote Desktop client to connect to the server, it will use the server’s VPN network IP (10.8.0.1) instead of its native IP (172.16.1.10) shown in Figure 1. To set up OpenVPN, the application must be installed on the server and the client.

4.5.1. Server Configuration

The server installation requires running the installer, generating certificates, editing the configuration file, starting OpenVPN and setting the Service to Auto.

• Run installer – This is similar to most Windows installation programs. All the defaults work fine for this scenario.
• Generate Certificates – This step warrants some additional discussion. For authentication, we will run a certificate authority (CA) on our server.
For the server and each client, we will generate a private key and a Certificate Signing Request (CSR). The CA will be used to sign the CSR and generate a Certificate for the server and each client. The Public Key Infrastructure (PKI) for OpenVPN is included in the easy-rsa folder. This folder includes a README.txt file which outlines the steps. Also included are several batch files which execute the steps we need to perform. These batch files will run openssl with the correct parameters to complete that step in the process. Note: Files in the OpenVPN installation have Linux style end of line characters. WordPad will correctly display the files whereas Notepad will not.

build-ca.bat will generate the CA certificate file ca.crt and the CA private key file ca.key.

build-dh.bat will generate the DH file dh1024.pem (assuming the default of 1024 bits).

build-key-server.bat will first generate a Server Certificate Signing Request server.csr and a Server private key server.key. Next, it will use the CA private key to sign the server.csr, resulting in the Server Certificate file server.crt.

build-key.bat will first generate a Client Certificate Signing Request client.csr and a Client private key client.key. Next, it will use the CA private key to sign the client.csr, resulting in the Client Certificate file client.crt. It is important when generating certificates for different clients to use a different common name. The common name is one of the prompts when executing the batch file.

After generating the certificates and keys, copy the server files, dh1024.pem and the ca files to the config folder under the OpenVPN installation on the server. The client files and ca.crt should be securely transferred to the client.
• Edit the config file – The config file contains settings that are used when starting OpenVPN. These settings could also be applied on the command line, but for our scenario we will use the config file. The OpenVPN installation includes a sample-config folder. There is a server.ovpn file that will be copied to the config folder as the starting point for the server configuration. Important settings are shown below.

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

• Start OpenVPN – OpenVPN can be started by right-clicking on the server.ovpn file and selecting “Start OpenVPN on this config file”. A command tool style window will appear. If everything starts successfully, you will see an “Initialization Sequence Completed” message.
• Set Service to Auto – Once everything is working and tested, the service should be set to auto start. Select Start>Run>services.msc. Right-click the OpenVPN Service and select Properties. Change the Startup Type to Automatic and click OK. Right-click the OpenVPN Service and select Start.

4.5.2. Client Configuration
The client installation requires running the installer, copying certificate files from the server, editing the configuration file, starting OpenVPN and setting the Service to Auto.

The client installation is similar to the server installation and uses the same installation executable. For the client, the certificate can be generated on the server and securely copied to the client. The main difference is the config file.

• Edit the config file – The config file contains settings that are used when starting OpenVPN. The OpenVPN installation includes a sample-config folder. There is a client.ovpn file that will be copied to the config folder as the starting point for the client configuration. Important settings are shown below.

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 172.16.1.10 1194

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

4.5.3. Firewall Configuration

With the OpenVPN connection, our authorized clients will always be connecting to the Remote Desktop port using the VPN Network (10.8.0.0/24). Therefore, we can change the scope of the rule allowing access to the RDP port to only allow the VPN Network. This is done with the following steps on the Server.

• Start>Control Panel>Windows Firewall
• Click on the Exceptions Tab.
• Select our custom RDP Exception.
• Click on Edit, Click on Change Scope
• Select Custom list: and enter 10.8.0.0/255.255.255.0
• Click Ok, Click Ok, Click Ok.

This configuration will block unauthorized clients from connecting to the Remote Desktop Port while still allowing authorized clients through the OpenVPN connection.

4.5.4. OpenVPN Summary

This section has described the basics of OpenVPN and how it will be configured to work in our scenario. Once configured, each user can be given a client certificate that is signed by our server’s CA. Only clients that have a certificate signed by our CA will be allowed to connect to OpenVPN. Since the firewall is configured to only allow RDP connections from the VPN Network, only users connected to OpenVPN will be allowed to connect to Remote Desktop. Authorized users can carry around a USB flash drive that has OpenVPN, their client certificate files and their client.ovpn config file. They would then be able to install OpenVPN and connect to the Remote Desktop server from any PC that they have Administrator rights to. This solution meets all of our requirements.

4.6. TLS based authentication

TLS authentication is a solution provided by Microsoft to mitigate the Man in the Middle attack. It works the same as web based TLS authentication. A server has a certificate that is signed by a trusted Certificate Authority. The client trusts the Certificate Authority, so it knows that the server is the correct one and not an imposter. This solution requires Windows 2003 SP1 or higher on the server side and RDP 5.2 or higher on the client side.
The server certificate can be obtained in one of three ways (Kiaer, 2006). The SelfSSL.exe tool in the IIS 6.0 resource kit can be used. An SSL certificate could be signed by a 3rd party CA. Or, an organization can use an existing Public Key Infrastructure (PKI) such as Microsoft Certificate Services. After obtaining the certificate, Terminal Services needs to be configured to use it. On the client side, users can configure one of three options for the Remote Desktop Connection. They can configure “No authentication”, “Attempt authentication” or “Require authentication”. “Require authentication” would not allow a connection unless the server’s identity has been authenticated. The client also needs to load the CA’s certificate or otherwise already trust the CA.

While this solution helps to mitigate the MITM attack, it does not help prevent unwanted connections to the RDP port. An attacker can configure their client for “No authentication” and connect whether TLS authentication is used or not.

5. Future

Microsoft released version 6.0 of the Remote Desktop client with Vista (Microsoft-925876, 2007). The new features in 6.0 will be available with Server 2008 as well. The 6.0 client can also be installed on Windows XP SP2, Server 2K3 SP1 and Server 2K3 SP2. Remote Desktop client 6.0 was released as an automatic update to XP.

There are new security related features in RDP 6.0. The first is Terminal Services Gateways. A Terminal Services Gateway functions similar to a VPN appliance. Users will connect to it on port 443 using the RDP 6.0 client. Once connected, they will be able to access the internal network. The next is “Network Level Authentication” (NLA).
NLA completes user authentication before providing a Remote Desktop connection. This reduces the resources used by an unauthorized user trying to connect and thus helps mitigate DOS attacks. The other feature is “Server authentication” (Microsoft-92586, 2007), which helps prevent MITM attacks. Server authentication is performed using Kerberos or Certificates. Server authentication uses the same client settings described above in TLS based authentication. The selections have been reworded. In 6.0, they are “Always connect, even if authentication fails”, “Warn me if authentication fails” and “Don’t connect if authentication fails”.

Microsoft is making security improvements to Remote Desktop. It is also adding a lot of functionality, which means opportunity for bugs and vulnerabilities.

6. Traffic Captures

Looking at traffic captures for different connection methods demonstrates the different ports and protocols used. These captures show what an attacker would see if they were able to sniff traffic between the client and the server.

The data in Figure 2 shows a traffic capture for a normal RDP connection with no additional security. In this capture, the client (192.168.1.100) is connecting from port 1234 to the server (192.168.1.103) on the custom port of 50101.

Figure 2

The data in Figure 3 shows a traffic capture for an RDP connection using IPSec with NAT-T.
In this capture, the client (192.168.1.100) is connecting to the server (172.16.1.10) using IPSec. The ISAKMP protocol is used to negotiate the tunnel parameters and then encrypted traffic flows via the ESP protocol. The bottom pane shows a source port of UDP 4500 and a destination port of UDP 4500. This is due to the packets being encapsulated in UDP to traverse the NAT per the NAT-T standard.

Figure 3

The data in Figure 4 shows a traffic capture for an RDP connection using OpenVPN. In this capture, the client (192.168.1.100) is connecting from port 1282 to the server (192.168.1.103) on UDP port 1194. This is the standard port for OpenVPN connections. All of the traffic is encrypted and transported over UDP.

Figure 4

7. Summary

This scenario started with NPO’s goals to know the threats from allowing Remote Desktop access over the internet and identify possible mitigation techniques. Several different threats and mitigation techniques were analyzed.

Some of the mitigation techniques did not meet the requirements or were insufficient. SecureRDP has some interesting capabilities, but it does not provide features to meet NPO’s requirements. “TLS Authentication” provides server authentication, but it does not provide any features to stop unwanted RDP connections. These two techniques were dropped from consideration.

A number of mitigation techniques will help reduce the risk of accessing Remote Desktop over the internet. The following actions are recommended.

• Implement the Policies and Procedures described in Section 4.1. These steps are easy to implement and will help to reduce risk.
• Implement the Windows Server Configuration changes described in Section 4.2. These steps are also easy to implement and will help to reduce risk.
• Implement a Host Based VPN. There are two viable options considered in this paper, IPSec and OpenVPN. Given the small size of the organization, IPSec is recommended. It has a simple implementation and does not require the use of a different IP address for connection. OpenVPN is also an acceptable option. It may be a better fit for larger organizations or if support for Linux clients is required.

Implementing these recommendations will significantly reduce the risk NPO faces using Remote Desktop over the internet.

8. References

Aitel, Dave (2007). SPIKE. Retrieved November 22, 2007, from immunitysec.com Web site: http://www.immunitysec.com/resources-freesoftware.shtml

Cohen, B (2002, September 16). Microsoft Windows XP Professional Remote Desktop Denial Of Service Vulnerability. Retrieved August 21, 2007, from securityfocus.com Web site: http://www.securityfocus.com/bid/5713/info

Cohen, B (2002, September 16). Microsoft Windows Encrypted RDP Packet Information Leakage Vulnerability. Retrieved August 21, 2007, from securityfocus.com Web site: http://www.securityfocus.com/bid/5711/info

Cohen, B (2002, September 16). Microsoft Windows RDP Keystroke Injection Vulnerability. Retrieved August 21, 2007, from securityfocus.com Web site: http://www.securityfocus.com/bid/5712/info

Ferris, T (2005, August 9). Microsoft Windows RDP 'rdpwd.sys' Remote Kernel DoS. Retrieved November 22, 2007, from security-protocols.com Web site: http://security-protocols.com/spx16-advisory.php

Forsberg, E (2003, April 1). Microsoft Terminal Services vulnerable to MITM-attacks. Retrieved August 12, 2007, from securityfocus.com Web site: http://www.securityfocus.com/archive/1/317244

Gates, C (2007, January 4). Tutorial: MS Terminal Server Cracking. Retrieved November 17, 2007, from ethicalhacker.net Web site: http://www.ethicalhacker.net/content/view/106/24/

Kiaer, M (2006, November 1). How to secure remote desktop connections using TLS/SSL based authentication. Retrieved September 2, 2007, from WindowsSecurity.com Web site: http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html

Martins, L (2001, October 18). Microsoft Windows 2000/NT Terminal Server Service RDP DoS Vulnerability. Retrieved November 17, 2007, from securityfocus.com Web site: http://www.securityfocus.com/bid/3445/info

Microsoft-816521, (2007, February 28). HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003. Retrieved September 23, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/816521

Microsoft-49ae, (2004, August 10). Windows XP Service Pack 2 Support Tools. Retrieved September 24, 2007, from microsoft.com Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en

Microsoft-818043, (2006, October 26). L2TP/IPsec NAT-T update for Windows XP and Windows 2000. Retrieved September 23, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/818043

Microsoft-ipseccmd, (2007). Ipseccmd.
Retrieved September 29, 2007, from microsoft.com Web site: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/enus/ipsecmd.mspx?mfr=true eta Microsoft-Bb742429, (2000, February 17). Step-by-Step Guide to Internet Protocol Security (IPSec). Retrieved September 29, 2007, from microsoft.com Web site: http://technet.microsoft.com/enus/library/Bb742429.aspx ZZZ not ref rr Microsoft-816514, (2006, October 30). How To Configure IPSec Tunneling in Windows Server 2003. Retrieved September 29, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/816514 ZZZ not ref tho Microsoft-bb45, (2005, November 3). Configuring Remote Desktop. Retrieved November 3, 2007, from microsoft.com Web site: http://technet.microsoft.com/en-us/library/bb457106.aspx ZZZ not ref Au Microsoft-925876, (2007, October 11). Remote Desktop Connection (Terminal Services Client 6.0). Retrieved November 3, 2007, from microsoft.com Web site: http://support.microsoft.com/?kbid=925876 07 , Microsoft-278845, (2007, February 28). How to Connect to and Shadow the Console Session with Windows Server 2003 Terminal Services. Retrieved November 3, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/278845 20 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 te Microsoft-306759, (2007, January 31). How to change the listening port for Remote Desktop. Retrieved November 3, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/306759 Ins titu Microsoft-2230, (2005, January 21). Accounts: Rename administrator account. Retrieved November 3, 2007, from microsoft.com Web site: http://technet2.microsoft.com/windowsserver/en/library/2230ece2-b4f9-4dc9-b08f7d29338c374b1033.mspx?mfr=true Microsoft-186607, (2007, March 27). Understanding the Remote Desktop Protocol (RDP). Retrieved November 11, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/186607 SA NS Microsoft-92586, (2007, October 11). 
Remote Desktop Connection (Terminal Services Client 6.0). Retrieved December 3, 2007, from microsoft.com Web site: http://support.microsoft.com/kb/925876 Microsoft-aa383, (2007, July 20). Remote Desktop Protocol (RDP). Retrieved August 24, 2007, from Microsoft Developer Network Web site: http://msdn2.microsoft.com/enus/library/aa383015.aspx © Microsoft-netsh, (2005, January 21). Netsh commands for Internet Protocol security. Retrieved December 3, 2007, from microsoft.com Web site: Greg Farnham © SANS Institute 2007, 54 Author retains full rights. . hts Windows Remote Desktop Heroes and Villains rig http://technet2.microsoft.com/windowsserver/en/library/c3ae0d03-f18f-40ac-ad33c0d443d5ed901033.mspx?mfr=true ful l Microsoft-techts, (2005, January). Technical Overview of Terminal Services. Retrieved November 11, 2007, from microsoft.com Web site: http://download.microsoft.com/download/7/b/3/7b3aa9574865-427d-9650-789179a5d666/TerminalServerOverview.doc ins Microsoft-MS01-006, (2001, January 31). Invalid RDP Data can cause Terminal Server Failure. Retrieved November 17, 2007, from microsoft.com Web site: http://www.microsoft.com/technet/security/Bulletin/MS01-006.mspx rr eta Microsoft-MS02-051, (2002, September 18). Microsoft Security Bulletin MS02-051. Retrieved November 16, 2007, from microsoft.com Web site: http://www.microsoft.com/technet/security/bulletin/MS02-051.mspx tho Microsoft-MS05-041, (2005, August 9). Microsoft Security Bulletin MS05-041. Retrieved November 16, 2007, from microsoft.com Web site: http://www.microsoft.com/technet/security/Bulletin/MS05-041.mspx Au Microsoft-MS01-052, (2001, October 18). Microsoft Security Bulletin MS01-052. Retrieved November 17, 2007, from microsoft.com Web site: http://www.microsoft.com/technet/security/bulletin/MS01-052.mspx 07 , Micrsoft-ra, (2003 March 24). Remote Administration of Windows Servers Using Remote Desktop for Administration. 
Retrieved November 16, 2007, from microsoft.com Web site: Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 http://www.microsoft.com/windowsserver2003/techinfo/overview/tsremoteadmin.mspx 20 Microsoft-ipsecfaq, (2006, February 13). IPSec : Frequently Asked Questions. Retrieved October 18, 2007, from microsoft.com Web site: http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx Ins titu te Montoro, Massimiliano (2005, May 28). Remote Desktop Protocol, the Good the Bad and the Ugly. Retrieved August 12, 2007 SecureRDP, (2007, July 28). Secure RDP of Windows Terminal Services with 2X SecureRDP. Retrieved September 15, 2007, from 2x.com Web site: http://www.2x.com/securerdp/windowsterminal-services.html Wikipedia-OpenVPN, (2006, December). OpenVPN. Retrieved September 6, 2007, from wikipedia.org Web site: http://en.wikipedia.org/wiki/OpenVPN NS Wikipedia-RDP, (2007, November 07). Remote Desktop Protocol. Retrieved SA November 11, 2007, from Wikipedia Web site: http://en.wikipedia.org/wiki/Remote_Desktop_Protocol © Yonan , J (2003). Understanding the User-Space VPN: History, Conceptual Foundations, and Practical Usage. Retrieved September 6, 2007, from openvpn.net Web site: http://openvpn.net/papers/BLUG-talk/ Greg Farnham © SANS Institute 2007, 55 Author retains full rights. 
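As an added example (not code from the paper), the following Python classifies client-to-server flows by the connection method the Section 6 captures imply and flags the Figure 2 case, where the RDP session is still directly identifiable on the wire after the listening port was moved to 50101; a defender can run it over a flow summary to confirm the Section 7 recommendation that RDP only arrives inside an IPSec or OpenVPN tunnel. The ports are the ones shown in the paper's captures; UDP 500 for the initial ISAKMP exchange and the sample flow records are assumptions.

```python
"""Classify client-to-server flows by the connection method they imply.

Added example, not from the paper. Ports are from the paper's captures
(RDP on TCP 50101, NAT-T on UDP 4500, OpenVPN on UDP 1194); UDP 500 for
the initial ISAKMP exchange is an assumption (the standard IKE port).
"""
from collections import defaultdict

RDP_PORT = 50101      # custom RDP listening port used in the paper's lab
ISAKMP_PORT = 500     # assumed: ISAKMP negotiation before the NAT-T float
NAT_T_PORT = 4500     # ESP encapsulated in UDP (NAT-T), as in Figure 3
OPENVPN_PORT = 1194   # standard OpenVPN port, as in Figure 4

# Constructed sample flow summary: (src, sport, dst, dport, proto).
SAMPLE_FLOWS = [
    ("192.168.1.100", 1234, "192.168.1.103", 50101, "tcp"),  # Figure 2: direct RDP
    ("192.168.1.100", 500, "172.16.1.10", 500, "udp"),       # ISAKMP negotiation
    ("192.168.1.100", 4500, "172.16.1.10", 4500, "udp"),     # ESP in UDP (NAT-T)
    ("192.168.1.100", 1282, "192.168.1.103", 1194, "udp"),   # Figure 4: OpenVPN
    ("10.9.8.7", 4500, "172.16.1.10", 4500, "udp"),          # NAT-T, no ISAKMP seen
]


def classify_flow(flow):
    """Label one flow the way an observer sniffing the link would."""
    _src, _sport, _dst, dport, proto = flow
    if proto == "tcp" and dport == RDP_PORT:
        return "rdp-direct"   # the RDP session itself is identifiable on the wire
    if proto == "udp" and dport == ISAKMP_PORT:
        return "isakmp"
    if proto == "udp" and dport == NAT_T_PORT:
        return "ipsec-nat-t"
    if proto == "udp" and dport == OPENVPN_PORT:
        return "openvpn"
    return "other"


def audit_flows(flows):
    """Group flows by client; return {client: {"methods": set, "findings": list}}."""
    report = defaultdict(lambda: {"methods": set(), "findings": []})
    for flow in flows:
        report[flow[0]]["methods"].add(classify_flow(flow))
    for entry in report.values():
        methods = entry["methods"]
        if "rdp-direct" in methods:   # the Figure 2 risk: only the port changed
            entry["findings"].append("RDP arrives directly, not inside a tunnel; changing the port does not hide it")
        if "ipsec-nat-t" in methods and "isakmp" not in methods:
            entry["findings"].append("UDP 4500 traffic without a captured ISAKMP exchange")
    return dict(report)
```

The second finding is informational only: a capture that starts after the tunnel was negotiated looks the same, so it should prompt a check of the capture window rather than be read as a problem on its own.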